Password Entropy: How to Measure and Maximize Your Password Strength
You’ve probably been told that a “strong password” needs uppercase letters, numbers, and special characters. But P@$$w0rd! follows all those rules — and it can be cracked in under a second.
The real measure of password strength isn’t what characters you use. It’s entropy: a concept from information theory that quantifies how unpredictable your password actually is.
In this guide, you’ll learn exactly how password entropy works, how to calculate it, and how to generate passwords that are genuinely hard to crack.
What Is Password Entropy?
Password entropy measures how unpredictable a password is, expressed in bits. Each additional bit of entropy doubles the number of guesses an attacker needs to crack it through brute force.
Think of it like dice. A 6-sided die has about 2.6 bits of entropy per roll — there are only 6 possible outcomes. A 20-sided die has about 4.3 bits — more faces means more uncertainty.
Passwords work the same way: more possible characters (bigger “dice”) and more characters in the password (more “rolls”) both increase entropy.
This is why entropy is a better measure than complexity rules. A password can look complex (Tr0ub4dor&3) but have low entropy because it follows predictable patterns. Meanwhile, a simple-looking passphrase (correct horse battery staple) can have high entropy because it’s drawn from a large pool of possibilities.
The Formula: How to Calculate Password Entropy
The formula is straightforward:
E = L × log₂(R)
Where:
- E = entropy in bits
- L = password length (number of characters)
- R = pool size (number of possible characters per position)
Character Pool Sizes
| Character Type | Pool Size (R) | Bits per Character |
|---|---|---|
| Lowercase only (a-z) | 26 | 4.70 |
| Lowercase + digits | 36 | 5.17 |
| Upper + lower + digits | 62 | 5.95 |
| Full printable ASCII | 94 | 6.55 |
| Diceware word list | 7,776 | 12.92 per word |
Calculate It in Code
// Calculate password entropy in JavaScript
const entropy = (length, poolSize) =>
length * Math.log2(poolSize);
entropy(8, 26); // → 37.60 bits (lowercase only)
entropy(12, 62); // → 71.45 bits (alphanumeric)
entropy(16, 94); // → 104.87 bits (full charset)import math
def entropy(length: int, pool_size: int) -> float:
return length * math.log2(pool_size)
entropy(8, 26) # → 37.60 bits
entropy(12, 62) # → 71.45 bits
entropy(16, 94) # → 104.87 bitsImportant: this formula assumes each character is chosen uniformly at random. If a human picks the password using patterns or dictionary words, the actual entropy is much lower than the theoretical maximum.
How Much Entropy Is Enough?
The answer depends on what you’re protecting and how fast an attacker can guess.
Modern GPUs can test over 10¹² (one trillion) password hashes per second against fast algorithms like MD5. Here’s what that means in practice:
| Entropy (bits) | Strength | Crack Time at 10¹² guesses/s | Recommended For |
|---|---|---|---|
| < 40 | Weak | Under 1 second | Never use |
| 40–59 | Fair | Seconds to hours | Throwaway accounts |
| 60–79 | Strong | Days to centuries | Regular accounts |
| 80–99 | Very strong | Millennia+ | Email, banking |
| 100+ | Extreme | Beyond heat death of universe | Encryption keys, master passwords |
A 16-character password using the full printable ASCII set gives you about 105 bits of entropy — well into the “extreme” range. You can generate one instantly with our Random Password Generator, which shows real-time entropy analysis for every password.
What NIST Says (2024 Update)
NIST SP 800-63B, updated in 2024, made significant changes to password guidelines:
- Dropped mandatory complexity rules (no more forced special characters)
- Dropped mandatory periodic password changes
- Raises minimum to 15 characters (up from 8 in previous versions)
- Emphasizes screening against known breached passwords
- Favors length and randomness over complexity
These changes reflect what entropy math has always shown: length and randomness matter more than character variety.
Why Length Beats Complexity
Let’s look at the math. Consider two ways to increase entropy for a 12-character password:
Option A — Keep 12 characters, switch from alphanumeric (62) to full ASCII (94):
- 12 × log₂(94) - 12 × log₂(62) = 78.66 - 71.45 = +7.21 bits
Option B — Keep alphanumeric (62), add one more character (12 → 13):
- 13 × log₂(62) - 12 × log₂(62) = 77.40 - 71.45 = +5.95 bits
Adding a single character gives you almost as much entropy as switching to a much larger character set. Add two characters and you’ve surpassed it.
Now consider P@$$w0rd! (9 characters). It uses the full ASCII pool but is too short. Worse, it follows the predictable “leet speak” pattern that dictionary attacks already cover, so its effective entropy is far below the theoretical 59 bits.
The takeaway: for truly random passwords, adding length is more efficient than adding character types. But the real enemy is predictability, not shortness.
Passphrase vs Random Password
| Dimension | Random Password | Passphrase (Diceware) |
|---|---|---|
| Example | kX#9mP$2vL!nQ7wR | correct horse battery staple |
| Bits per unit | 6.55 per char | 12.92 per word |
| Length for ~78 bits | 12 characters | 6 words |
| Memorability | Poor | Good |
| Mobile typing | Painful | Easy |
| Best for | Password manager entries | Master passwords, memorized logins |
How Diceware Works
Diceware uses a word list of 7,776 entries (6⁵ = 7,776). You roll five dice to select each word, giving exactly 12.92 bits of entropy per word.
Four words gives ~51 bits; six words gives ~77 bits.
Which Should You Use?
- For passwords stored in a manager: use random 16+ character passwords with full character sets. You never type them manually, so memorability doesn’t matter. Our Random Password Generator can batch-generate up to 50 at once.
- For your master password: use a 5-6 word Diceware passphrase. It’s memorable enough to type daily while providing 64-77 bits of entropy.
- For API keys and tokens: use
openssl randorcrypto.randomBytes()for maximum entropy with no human-memorability requirement.
Entropy in Practice: Developer Tools and Code
Here are the most common ways developers generate high-entropy secrets:
Browser (Web Crypto API)
// Cryptographically secure password generation
function generatePassword(length, charset) {
const array = new Uint32Array(length);
crypto.getRandomValues(array);
return Array.from(array, v => charset[v % charset.length]).join('');
}
const chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*';
generatePassword(16, chars);
// → 'kX#9mP$2vL!nQ7wR' (random each time)Node.js
const crypto = require('crypto');
const token = crypto.randomBytes(32).toString('base64url');
// → 'Ql2Hj8xK9mNp3rVw5tYz7uBa0cEf4gIk' (43 chars, 256 bits)Python
import secrets
token = secrets.token_urlsafe(32) # 256 bits of entropy
password = secrets.token_hex(16) # 128 bits, hex formatCommand Line
# 192 bits of entropy, base64 encoded
openssl rand -base64 24
# 256 bits, hex encoded
openssl rand -hex 32Entropy Comparison by Method
| Method | Output Length | Entropy (bits) |
|---|---|---|
| UUID v4 | 36 chars | 122 |
openssl rand -base64 24 | 32 chars | 192 |
| 16-char full ASCII | 16 chars | 105 |
| 6-word Diceware | ~30 chars | 78 |
| 4-word Diceware | ~20 chars | 52 |
Never use
Math.random()for anything security-related. It uses a non-cryptographic PRNG — the output is predictable if an attacker knows the seed. Always usecrypto.getRandomValues()in the browser orcrypto.randomBytes()in Node.js.
Password Storage: Why Entropy Alone Isn’t Enough
Even a 128-bit password is worthless if the server stores it as a plain MD5 hash. When a database leaks, attackers can test trillions of MD5 hashes per second on a single GPU.
This is where slow hashing algorithms come in. They deliberately make each guess expensive:
| Algorithm | Speed on GPU | Effective slowdown |
|---|---|---|
| MD5 | ~10 billion/s | Baseline (don’t use) |
| SHA-256 | ~5 billion/s | ~2× slower |
| bcrypt (cost=12) | ~5/s | ~2 billion× slower |
| argon2id | ~2/s | ~5 billion× slower |
bcrypt’s cost parameter is especially elegant: each increment doubles the work required. A cost factor of 12 means 2¹² = 4,096 rounds of hashing. This effectively adds 12 bits of “storage entropy” on top of the password’s own entropy.
The dual protection model: high-entropy passwords protect against offline brute force, while slow hashing protects against database leaks. You need both.
For more on hash algorithms, see our MD5 vs SHA-256 comparison and try the MD5 Hash Generator to explore how different algorithms produce different outputs.
Common Password Myths Debunked
”Change your password every 90 days”
NIST’s 2024 guidelines explicitly recommend against mandatory periodic changes. Frequent rotations lead users to choose weaker, more predictable passwords — adding a number at the end, cycling through a small set. Change passwords only when you have reason to believe they’ve been compromised.
”a→@, e→3 makes it stronger”
Leet speak substitutions are among the first patterns dictionary attacks check. Replacing a with @ in password adds virtually zero entropy because attackers already expect it.
True randomness — not clever substitutions — is what increases entropy.
”8 characters with symbols is enough”
Even with the full 94-character ASCII set, 8 characters gives only 52 bits of entropy. At 10¹² guesses per second, that’s cracked in about 75 minutes.
Use 12 characters minimum, 16+ for important accounts.
”The more complex it looks, the more secure it is”
Visual complexity and entropy are different things. Tr0ub4dor&3 looks complex but follows a predictable base-word-plus-substitutions pattern. mfYq8kL2nR looks simpler but has higher entropy because it’s truly random.
For more on building a comprehensive security strategy, see Web Security Essentials.
FAQ
How many bits of entropy is considered secure?
For most online accounts, 60-80 bits provides strong protection. For high-value targets like master passwords or encryption keys, aim for 100+ bits. Each additional bit doubles the attacker’s required effort.
Does adding special characters always increase entropy?
Only if the characters are chosen randomly from the full pool. Predictable substitutions like @ for a or ! at the end add virtually no entropy because attackers already account for these patterns in their dictionaries.
What is the entropy of a 4-word Diceware passphrase?
Using the standard 7,776-word Diceware list, each word contributes 12.92 bits. Four words gives approximately 51.7 bits — adequate for low-security uses. For important accounts, use 5-6 words (64-78 bits).
Is Math.random() safe for generating passwords?
No. Math.random() is a pseudorandom number generator that is not cryptographically secure. Use crypto.getRandomValues() in the browser or crypto.randomBytes() in Node.js for security-sensitive random generation.
How does bcrypt’s cost factor affect security?
Each increment of bcrypt’s cost factor doubles the computation required to hash (and therefore to brute-force) a password. A cost of 12 means 2¹² = 4,096 iterations, effectively adding 12 bits of difficulty on top of the password’s intrinsic entropy.
What changed in NIST’s 2024 password guidelines?
NIST SP 800-63B dropped mandatory complexity requirements (forced special characters, mixed case) and periodic password rotation. The new guidance favors longer passwords (15+ chars recommended), screening against breached password databases, and allowing all printable characters including spaces.
Key Takeaways
- Entropy = L × log₂(R) — each extra bit doubles the number of guesses needed
- Length > complexity — adding one character is more effective than expanding the character set
- Use crypto APIs —
crypto.getRandomValues()orcrypto.randomBytes(), neverMath.random() - Password manager + random generation is the best practice for most people
- Server-side matters too — use bcrypt or argon2, never store passwords with MD5
Ready to generate a high-entropy password? Try our Random Password Generator — it shows real-time entropy analysis for every password you create.